From 298eaa0b32533b5edc2a4202527c8b125bcec404 Mon Sep 17 00:00:00 2001 From: Shane McDonald Date: Fri, 29 Mar 2019 15:11:52 -0400 Subject: [PATCH] Move secret key from configmap to secret --- .../kubernetes/templates/configmap.yml.j2 | 1 - .../kubernetes/templates/deployment.yml.j2 | 29 ++++++++++++++++--- .../templates/management-pod.yml.j2 | 13 ++++++++- .../roles/kubernetes/templates/secret.yml.j2 | 1 + 4 files changed, 38 insertions(+), 6 deletions(-) diff --git a/installer/roles/kubernetes/templates/configmap.yml.j2 b/installer/roles/kubernetes/templates/configmap.yml.j2 index 76f3be1f4b..040ff56b83 100644 --- a/installer/roles/kubernetes/templates/configmap.yml.j2 +++ b/installer/roles/kubernetes/templates/configmap.yml.j2 @@ -4,7 +4,6 @@ metadata: name: {{ kubernetes_deployment_name }}-config namespace: {{ kubernetes_namespace }} data: - secret_key: {{ secret_key }} {{ kubernetes_deployment_name }}_settings: | import os import socket diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2 index 78abff3926..c45e5eb735 100644 --- a/installer/roles/kubernetes/templates/deployment.yml.j2 +++ b/installer/roles/kubernetes/templates/deployment.yml.j2 @@ -142,12 +142,19 @@ spec: - containerPort: 8052 volumeMounts: - name: {{ kubernetes_deployment_name }}-application-config - mountPath: "/etc/tower" + mountPath: "/etc/tower/settings.py" + subPath: settings.py readOnly: true - name: "{{ kubernetes_deployment_name }}-application-credentials" mountPath: "/etc/tower/conf.d/" readOnly: true + + - name: {{ kubernetes_deployment_name }}-secret-key + mountPath: "/etc/tower/SECRET_KEY" + subPath: SECRET_KEY + readOnly: true + resources: requests: memory: "{{ web_mem_request }}Gi" 
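Review bot: The new `subPath: settings.py` and `subPath: SECRET_KEY` mounts in this hunk change the update semantics of both files: Kubernetes does not propagate later ConfigMap or Secret changes into subPath mounts, so a rotated `secret_key` or an edited settings file is only picked up after the pod is recreated, whereas the previous whole-directory mount of `/etc/tower` received updates in place. The same pattern is introduced in the second deployment.yml.j2 hunk (at -170) and in the first management-pod.yml.j2 hunk (at -11). Presumably the per-file mounts were chosen so the `/etc/tower/conf.d/` mount is no longer shadowed by a directory mount on `/etc/tower`, which is reasonable, but the trade-off should be stated once in the template above the first such mount: `# subPath mounts are snapshotted at pod start; after changing the settings ConfigMap or rotating secret_key, restart the pods.` The containers whose volumeMounts these are begin above the hunk.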
@@ -170,12 +177,21 @@ spec: imagePullPolicy: Always volumeMounts: - name: {{ kubernetes_deployment_name }}-application-config - mountPath: "/etc/tower" + mountPath: "/etc/tower/settings.py" + subPath: settings.py readOnly: true - name: "{{ kubernetes_deployment_name }}-application-credentials" mountPath: "/etc/tower/conf.d/" readOnly: true + + - name: {{ kubernetes_deployment_name }}-secret-key + mountPath: "/etc/tower/SECRET_KEY" + subPath: SECRET_KEY + readOnly: true + env: + - name: AWX_SKIP_MIGRATIONS + value: "1" resources: requests: memory: "{{ task_mem_request }}Gi" @@ -264,8 +280,6 @@ spec: items: - key: {{ kubernetes_deployment_name }}_settings path: settings.py - - key: secret_key - path: SECRET_KEY - name: "{{ kubernetes_deployment_name }}-application-credentials" secret: @@ -276,6 +290,13 @@ spec: - key: environment_sh path: 'environment.sh' + - name: {{ kubernetes_deployment_name }}-secret-key + secret: + secretName: "{{ kubernetes_deployment_name }}-secrets" + items: + - key: secret_key + path: SECRET_KEY + - name: rabbitmq-config configMap: name: rabbitmq-config diff --git a/installer/roles/kubernetes/templates/management-pod.yml.j2 b/installer/roles/kubernetes/templates/management-pod.yml.j2 index 890d251062..12197019c1 100644 --- a/installer/roles/kubernetes/templates/management-pod.yml.j2 +++ b/installer/roles/kubernetes/templates/management-pod.yml.j2 @@ -11,12 +11,18 @@ spec: command: ["sleep", "infinity"] volumeMounts: - name: {{ kubernetes_deployment_name }}-application-config - mountPath: "/etc/tower" + mountPath: "/etc/tower/settings.py" + subPath: settings.py readOnly: true - name: "{{ kubernetes_deployment_name }}-application-credentials" mountPath: "/etc/tower/conf.d/" readOnly: true + + - name: {{ kubernetes_deployment_name }}-secret-key + mountPath: "/etc/tower/SECRET_KEY" + subPath: SECRET_KEY + readOnly: true resources: {% if management_mem_limit is defined or management_cpu_limit is defined %} limits: 
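Review bot: The `env:` block adding `AWX_SKIP_MIGRATIONS: "1"` to the task container in the hunk at -170 is unrelated to moving the secret key and is not mentioned in the commit message, so its reason is lost to the next reader. From the name it presumably stops this container from running database migrations at start-up, leaving that to another component, but nothing on the page says which one. Either split it into its own commit or document it inline, e.g. `# only one container may run migrations at start-up; the task container skips them` (confirm which container is meant to own them). If the task container already declares an `env:` key further down in its spec, outside this hunk, this would also introduce a duplicate key that most YAML parsers resolve silently by last-wins; the container definition starts above the hunk.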
@@ -34,6 +40,11 @@ spec: items: - key: {{ kubernetes_deployment_name }}_settings path: settings.py + + - name: {{ kubernetes_deployment_name }}-secret-key + secret: + secretName: "{{ kubernetes_deployment_name }}-secrets" + items: - key: secret_key path: SECRET_KEY diff --git a/installer/roles/kubernetes/templates/secret.yml.j2 b/installer/roles/kubernetes/templates/secret.yml.j2 index ec71f1001f..f57691666d 100644 --- a/installer/roles/kubernetes/templates/secret.yml.j2 +++ b/installer/roles/kubernetes/templates/secret.yml.j2 @@ -6,6 +6,7 @@ metadata: name: "{{ kubernetes_deployment_name }}-secrets" type: Opaque data: + secret_key: "{{ secret_key | b64encode }}" admin_password: "{{ admin_password | b64encode }}" pg_password: "{{ pg_password | b64encode }}" rabbitmq_password: "{{ rabbitmq_password | b64encode }}"
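Review bot: The new volume entry in the management-pod.yml.j2 hunk at -34 writes the templated name unquoted, `- name: {{ kubernetes_deployment_name }}-secret-key`, while the `secretName:` two lines below and the existing `-application-credentials` entry quote theirs; the same mix appears in the added `-secret-key` volumes and mounts in deployment.yml.j2. Since the rendered text is parsed as YAML after Jinja substitution, quoting templated scalars consistently, `- name: "{{ kubernetes_deployment_name }}-secret-key"`, is the safer and more uniform form. Note also that the `- key: secret_key` / `path: SECRET_KEY` item lines under the new `items:` here are unchanged context lines carried over from the configMap volume above, so the result depends on both `items:` keys sitting at the same indentation; in deployment.yml.j2 the equivalent volume is written out in full.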
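Review bot: The new `secret_key:` entry in secret.yml.j2 is referenced by name from `items: - key: secret_key` in both deployment.yml.j2 and management-pod.yml.j2, and the mount path `/etc/tower/SECRET_KEY` is repeated in three places; nothing ties these together for a maintainer renaming the key. A one-line comment above the entry would make the coupling visible: `# consumed via the "<deployment>-secret-key" volume in deployment.yml.j2 and management-pod.yml.j2; keep the key name in sync`. Since the value is only base64-encoded in the Secret, the surrounding installer should also avoid persisting the rendered manifest, but that is outside this hunk and cannot be checked from the diff.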